In reading this article, “Raising the red flag on recent DMARC hype” (https://gcn.com/articles/2018/02/02/dmarc-email-security-hype.aspx), I find that the author is misinformed on the process of implementing DMARC. DMARC itself is certainly not a silver bullet, but a mechanism that seeks to expose and, to some degree, fix the issues of the humble email, which has had very little change since its inception back in the 1970s. And yet, its benefits are substantial.
An email security strategy would involve aspects such as phishing simulation and broader security awareness training (such as Ironschool and O’Phish), post-delivery scanning of the inbox (such as GreatHorn’s Inbound Email Security) and, of course, DMARC, amongst others.
The road to perfection is long and challenging but the process starts from the very first small step, and there will be many small steps along the way. The Japanese culture knows this process of seeking perfection very well. They call it "Kaizen" - meaning improvement. In quality management this refers to activities that continuously improve all functions. But I digress!
Yes, there is hype around DMARC and what it can accomplish, and you have covered its flaws quite well.
But you haven't discussed how to overcome those flaws. Ingressum calls this process DMARC Compliance.
WannaCry was a wake-up call to everyone! The person serving you your lunch has heard about it (no disrespect intended).
It's reasonable to believe that following this massive issue that played out on a global stage, patch management would be front and centre on every executive's operational focus.
In fact, there are only so many variations you can use for the same theme - we covered it here - Server and workstation patching for nuclear-utilities.
When working through an issue, it’s always best to have some type of statistical data on which to base a decision or to build a business case for a potential change. Of course, we also need to keep in mind not to taint the data and mould it to fit our predetermined or preferred premise.
The assertion has always been that implementing DMARC into your email domains and undergoing a DMARC Compliance program will improve email deliverability based on higher IP reputation.
I’ve seen this occur on many occasions, as many customers have initiated such projects to ultimately get back control of their email domains, i.e. audited all senders (internal and third party) and updated SPF and DKIM requirements, as discussed here: Starting-your-spf-journey-add-dmarc-for-greater-success
An entity that is required to comply with the Privacy Act 1988 must take reasonable steps to protect the personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. This extends to situations where an entity engages a third party to store, maintain or process personal information on its behalf.
New provisions will take effect on the 22nd February 2018.
In February, 2017, the Australian Commonwealth government passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which will amend the Privacy Act, making it mandatory for companies and organisations to report “eligible data breaches” to the Office of the Australian Information Commissioner (OAIC) and any affected, at-risk individuals.
There’s an old saying that rings true most of the time, and way too often, namely “the plumber’s house has the worst plumbing in the street”, or, relating it back to technology, “an online service provider still running on physical, non-virtualised servers”. The key message here is that those who should know better, lead by example and apply their own recommendations to their own systems fall short of that objective.
Email spoofing, aka spear phishing, whaling, CEO email fraud, BEC (business email compromise) and probably a few other terms used interchangeably, has caught out many organisations, specifically large multinationals that have functional teams distributed across many centres around the globe.
A news report that broke this past week of a Lithuanian national being charged in connection with a $100M USD email spoofing attack against two unnamed USA global tech giants proved surprising for me. Talk on the street is that one of the tech giants makes smartphones, and we’re not talking about Android!
Running a quick check on the DMARC record for that domain using dmarcian’s DMARC Inspector (https://dmarcian-ap.com/dmarc-inspector/) proved insightful and disappointing.
Following this news story, there is an important lesson here for the rest of us.
Going back about 12 months, we covered a similar story - Executives / CxO level targeted in CEO Email Abuse scams.
It was in 1742 that Thomas Gray penned a famous poem about young innocence unknowing or even uninterested in the challenges ahead in adult life. You yourself would be familiar with this poem based on its closing statement “Innocence is bliss, ‘tis folly to be wise.”
Starting in mid-February of this year, a massive cyber-attack began, originally targeting the LinkedIn brand. By the end of the month, the same technique was used to generate massive amounts of generic malicious spam impacting most of the legitimate TLD domains, globally! The cyber-attack used a simple technique: “using” a subdomain of a TLD domain, i.e. “linkedin.mybank.com”, as the basis of the FROM field of an email. So your inbox would contain an email similar to the picture below.
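The quick DMARC record check mentioned above, and the question of what a receiving mail server actually does with a From address on a subdomain such as the “linkedin.mybank.com” pattern described above, can both be reasoned about from the record itself. The following is an added example, not Ingressum's code or any of the tools named on this page: it parses a DMARC TXT record into its tags, works out which policy a receiver would apply to a given From: domain (the `sp` tag governs subdomains and, when absent, `p` applies to them too, per RFC 7489), and lists the weaknesses a defender would flag. All records and domain names in it are constructed for illustration; `mybank.example` is a hypothetical organisational domain.

```python
"""Added example (not the blog's own code): parse a DMARC TXT record and work out
which policy a receiving MTA would apply to a given RFC5322.From domain.
Records and domain names below are constructed for illustration only."""

# Constructed sample records for a hypothetical organisational domain.
# In real DNS these would be the TXT record at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "none-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@mybank.example",
    "reject-no-sp": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@mybank.example",
    "reject-sp-none": "v=DMARC1; p=reject; sp=none; pct=100",
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs.

    Raises ValueError unless the record starts with v=DMARC1 and carries a p= tag;
    a receiver ignores anything else at _dmarc.<domain> as not being DMARC at all.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=")
    return tags


def effective_policy(tags: dict, from_domain: str, org_domain: str) -> str:
    """Policy a receiver applies to mail whose From: domain is from_domain,
    given the organisational domain's record (assumes the subdomain publishes
    no record of its own, so the receiver falls back to the org domain).

    'sp' governs subdomains; when absent, 'p' applies to them as well.
    pct=0 keeps the policy on paper only, so it is reported here as 'none'.
    """
    from_domain = from_domain.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    if from_domain == org_domain:
        policy = tags["p"]
    elif from_domain.endswith("." + org_domain):
        policy = tags.get("sp", tags["p"])
    else:
        return "not-covered"  # a different org domain; this record says nothing about it
    if int(tags.get("pct", "100")) == 0:
        return "none"
    return policy.lower()


def weaknesses(tags: dict) -> list:
    """Findings a defender-side DMARC check would flag on a published record."""
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: spoofed mail is only reported, never quarantined or rejected")
    if tags.get("sp") == "none":
        findings.append("sp=none: subdomains are unprotected even though p is stricter")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so you cannot see who is sending as you")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy only applied to part of the mail stream")
    return findings


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        tags = parse_dmarc(record)
        print(name, "->", effective_policy(tags, "linkedin.mybank.example", "mybank.example"))
        for finding in weaknesses(tags):
            print("   ", finding)
```

The point the subdomain case makes is that a record with `p=reject` and no `sp` tag already covers “linkedin.mybank.example”, whereas adding `sp=none` (sometimes done to keep a legacy sending subdomain working) reopens every subdomain at once; the check also reports a missing `rua`, without which the domain owner never sees the aggregate reports that reveal who is sending on their behalf.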
Well over 2 thousand years ago, Aristotle, a Greek philosopher, defined a concept that we know and use today – that of causality typically known as “cause and effect”. In fact, he proposed that causality has 4 contributing factors or causes, that can identify the reason of anything occurring.
Don’t worry, you haven’t landed on Philosophy_101.com, but as I sit here and type away on my laptop, I am truly awed and deeply humbled at the incredible intelligence of these early scientists and philosophers that lived in the 3rd century BC.
Back to the present day, and Aristotle can still help all of us in our fight against cybercrime, specifically against those confidence tricksters that impersonate our favourite brands.
The FBI has reported that, in recent times, email domain impersonation or spoofing has cost us a staggering $2 billion USD over a period of only 2 years!
This week, another major secure email gateway provider, aka anti-virus provider, announced new features to deal with the growing problem of business email compromise (BEC) or email spoofing.
Business Email Compromise (BEC), CEO email abuse, spear phishing, whaling, email domain spoofing: these are some of the terms used to describe a specific attack against an organisation where a key aspect of the attack is the use of its email domain.
The attack typically involves the use of the email domain somewhere in the email header to impersonate a legitimate email from that organisation. This process works best in conjunction with the weakest link in the chain, namely the human! Our brains relate well to the familiar, so when we see an email that looks like it came from someone we know, we immediately stop thinking and click the link or the attachment, and BANG, we have just opened the door to a malicious virus or ransomware, and the rest of our working week will become very stressful!